“Let your light shine before others.” — Matthew 5:16 (NET)

Christ-honoring DNS filtering

Bright, simple protection for the Church, families, and every believer.

GraceDNS now lives entirely on Cloudflare Workers and serves every tier through DNS-over-HTTPS, so churches and families get private, faith-aligned filtering without maintaining hardware.

We never log DNS queries. Every tier is DNS-over-HTTPS only, so use a compatible client or helper app when your platform cannot speak HTTPS DNS on its own.

The Church

Congregations and ministries can roll out filters with simple, printable endpoints.

Families

Parents set one tier on the router and every phone, TV, and tablet follows.

Individuals

Believers on the go can point laptops and phones to GraceDNS in under a minute.

Why we serve

Keeping the Church, families, and individuals holy, hopeful, and simple

GraceDNS exists for pastors, parents, and everyday believers who just want wholesome internet without a rocket science manual. We quiet the noise so disciples can delight in Jesus online and offline.

Serve the Church

Printable quick-starts help congregations and ministries deploy safe browsing without IT staff.

Equip Families

Three gentle tiers let parents choose the right balance of compatibility, conviction, and calm.

Empower Individuals

Simple instructions let any believer point a single phone or laptop to a Christ-honoring resolver.

Guide Classrooms

Small schools and co-ops can match each room to a tier without extra software or licenses.

Plans for every household

Choose the path that fits

Each tier builds on the last. Copy the DNS-over-HTTPS URL, the DNS-over-TLS hostname, or both—then drop them into the helper your platform uses, whether it is Private DNS, a router, DoH app, or profile.

Eden

Gentle baseline fed by broad malware, phishing, and tracker intelligence with a light-touch policy.

  • Cuts off payload delivery and credential traps
  • Silences trackers, analytics, and telemetry tied to those threats
  • Designed to keep breakage low on mixed networks

Primary encrypted resolver for Eden—paste into any DoH-aware app, router, or profile.

Hostname for Android Private DNS or other DoT clients (port 853).

Download iOS profile

Sinai

Builds on Eden with explicit content, gambling, proxy/VPN bypass points, and piracy domains. SafeSearch enforced.

  • Extends Eden with explicit and wagering safeguards
  • Stops proxy, VPN, and encrypted-DNS bypass relays
  • Blocks piracy mirrors while forcing SafeSearch

HTTPS endpoint for Sinai—use wherever you need SafeSearch and stricter content rules.

Preferred Private DNS/DoT hostname when you want Sinai’s policy over TLS.

Download iOS profile

Zion

Everything in Sinai plus the most aggressive baseline and a dedicated sweep against full-spectrum advertising stacks.

  • Shuts down ad networks, telemetry, and push beacons
  • Keeps the malware, phishing, adult, gambling, piracy, and bypass blocks from earlier tiers
  • Turns down monetized CDNs and autoplay trackers so devotionals and studies stay distraction-free

Zion’s DoH endpoint for routers, helper daemons, or profiles; expect stricter ad blocking.

DoT hostname for Zion when Android Private DNS or TLS firewalls need the aggressive ad tier.

Download iOS profile

Glory

Stacks Zion with an extreme wildcard sweep that silences telemetry brokers, referral loops, and device analytics for locked-down installs.

  • Everything from Zion plus a hand-curated wildcard sweep for stubborn telemetry and referral brokers
  • Microsoft 365 cores stay allowlisted, yet certain SSO helpers or social apps may need patience
  • Reserved for believers who want nearly every telemetry and referral call silenced despite extra breakage

Glory’s DoH endpoint for kiosks, chapels, or any lockdown profile.

DoT hostname for Glory when you need the wildcard sweep over TLS.

Download iOS profile

Setup in minutes

How to use GraceDNS

GraceDNS now speaks both DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). Copy whichever endpoint your device expects, then follow the playbook below to feed it into profiles, Private DNS, helper daemons, or routers.

Android (Private DNS / DoT)

  1. Open Settings → Network & Internet → Private DNS (path varies by manufacturer).
  2. Select Private DNS provider hostname.
  3. Enter the DNS-over-TLS hostname for your tier (for example, sinai.gracedns.org) and save; Android now tunnels over DoT.

Need a fallback for older devices? Apps like Intra or Nebulo still work by pasting the DoH URL instead.

iOS & iPadOS (mobileconfig)

  1. On the device, tap the Download iOS profile button for your tier (or open https://sinai.gracedns.org/mobileconfig).
  2. Tap Allow, open Settings → Profile Downloaded, and install the profile (passcode required).
  3. Approve the remote DNS notice; iOS now tunnels lookups over DoH to https://sinai.gracedns.org/dns-query (or your chosen tier).

Switch tiers any time—each hostname serves a fresh, signed .mobileconfig with the right headers, so no manual editing is required.

macOS & visionOS

  1. AirDrop or download the same GraceDNS Sinai profile to your Mac.
  2. Go to System Settings → Privacy & Security → Profiles and click Install….
  3. Authenticate and confirm; macOS now enforces DoH for every network interface.

MDM suites can deploy the worker-hosted profile (e.g., https://sinai.gracedns.org/mobileconfig) org-wide with your preferred tier URL.

Windows 10/11 (cloudflared)

  1. Download cloudflared and open PowerShell.
  2. Run cloudflared proxy-dns --address 127.0.0.1 --port 53 --upstream https://sinai.gracedns.org/dns-query (swap tiers as needed).
  3. In Windows Settings, set your adapter’s DNS server to 127.0.0.1 so every lookup rides the DoH tunnel.

Any DoH stub resolver (AdGuard Home, Technitium, dnscrypt-proxy) works the same way.

Routers, Pi-hole & firewalls

  1. Enable the DoH or DoT client inside your router/UTM (pfSense, OPNsense, MikroTik, AdGuard Home, Pi-hole + cloudflared).
  2. Paste the GraceDNS DoH URL or DoT hostname into the upstream/forwarder field, matching what the firmware expects.
  3. Point LAN DHCP DNS to the router so every device inherits your chosen tier.

Keep Eden as a fallback upstream in case you need quick allowlisting while you test Zion or Glory.

Chromebooks & shared devices

  1. Deploy the GraceDNS mobileconfig, DoH helper, or DoT policy through Google Admin, Intune, or your MDM.
  2. Lock the network settings so students cannot disable the encrypted DNS client.
  3. Rotate between Sinai/Zion/Glory by updating the managed configuration.

Need help? Email hello@gracedns.org for quick-start PDFs.

Glory is intentionally brutal—expect Microsoft 365, Meta, referral links, and app stores to break. Always keep Sinai or Zion handy for normal browsing.
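
After pointing a device at a tier, it helps to confirm how the endpoint actually answers. The following is an added example, not part of GraceDNS's own material: it builds the RFC 8484 GET request for the Sinai DoH URL shown above and classifies an A-record response. It assumes a filtered name comes back as NXDOMAIN or 0.0.0.0, which this page does not specify; the function names and the sample response are constructed for illustration.

```python
import base64
import struct

DOH_URL = "https://sinai.gracedns.org/dns-query"  # tier endpoint from the page

def build_query(name, qtype=1):
    """Wire-format query (RFC 1035) with ID 0 and RD set, as RFC 8484 suggests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(name, base=DOH_URL):
    """RFC 8484 GET form: base64url of the query with '=' padding removed."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{base}?dns={dns}"

def _skip_name(msg, off):
    """Offset just past a name, honouring compression pointers."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def classify(msg):
    """Return 'nxdomain', 'sinkhole', 'resolved' or 'other' for an A response.
    Assumption: NXDOMAIN or all-0.0.0.0 answers mean 'filtered' (not stated on the page)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF == 3:
        return "nxdomain"
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(map(str, msg[off + 10:off + 14])))
        off += 10 + rdlen
    if not addrs:
        return "other"
    return "sinkhole" if all(a == "0.0.0.0" for a in addrs) else "resolved"

# Constructed sample response (not captured from GraceDNS): one A record, 0.0.0.0.
SAMPLE = (bytes.fromhex("000081800001000100000000") + build_query("www.example.com")[12:]
          + bytes.fromhex("c00c000100010000003c000400000000"))
```

Fetch the URL from doh_get_url() with the header Accept: application/dns-message and pass the response body to classify(). Compare a name you expect the tier to filter against one you expect to resolve.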

Clear convictions

What we filter

Eden

  • Light-touch baseline for broad ads, tracking, and nuisance domains
  • Malware payload hosts and droppers
  • Credential-harvesting kits and phishing pages
  • Analytics and telemetry tied to those feeds

Sinai

  • Everything in Eden
  • Explicit content libraries
  • Gambling and wagering portals
  • Proxy, VPN, and encrypted-DNS bypass endpoints
  • Piracy and illegal distribution hubs
  • SafeSearch enforced everywhere

Zion

  • Everything in Sinai
  • Full-spectrum advertising stacks and retargeting networks
  • Cross-app analytics, telemetry, and push campaigns

Glory

  • Everything in Zion
  • Ultra-aggressive wildcard sweep for telemetry and referral brokers
  • Dedicated focus on Meta, Microsoft (non-core), and app-store tracking stacks
  • Expect breakage—plan allowlists and fallback tiers

Rooted in Scripture

One promise for Eden, Sinai, Zion, and Glory

“Whatever you do, in word or deed, do it all in the name of the Lord Jesus.”

This single call from Colossians 3:17 steers individuals, families, and the whole Church as we filter the web.

Colossians 3:17 (NET)

Support the mission

GraceDNS stays free because the Body shares the load

We run GraceDNS because it serves churches, families, and students—not because it turns a profit. Gifts remain optional; they simply help us cover hosting, storage, and the time spent curating blocklists. If you want a gentle guideline, think $5/year per individual, $15/year per household, or $3/student/year for schools—give what fits your situation, or nothing at all.

Helps add new blocklists
Funds redundant resolvers
Serves small churches
Need a custom invoice? Email us.

Need clarity?

Frequently asked questions

What’s the difference between tiers?

Eden is a light-touch baseline anchored by malware, phishing, and tracker intelligence; Sinai adds explicit, gambling, bypass, and piracy protections plus SafeSearch; Zion layers on the aggressive ad-network sweep; Glory piles an ultra-aggressive wildcard tier that crushes telemetry/referral brokers and demands careful allowlisting.

Will ad blocking break anything?

Often. Zion already interrupts monetized CDNs, telemetry calls, and certain login helpers—Glory goes even further by silencing referral chains, Meta logins, WhatsApp avatars, Xbox achievements, and many SSO helpers. Microsoft 365's core domains are allowlisted, but plan to drop to Sinai or Eden when a service expects tracking to function.

Which tier should families start with?

Start with Sinai so explicit, gambling, bypass, and piracy hosts stay blocked; keep Eden for devices that need near-zero breakage, use Zion for chapels, kiosks, or study spaces that demand ad-free screens, and reserve Glory for locked-down installs with an admin ready to maintain allowlists.

What data do you see?

Resolvers must see the domains you ask for, but we immediately drop them—no logs, analytics, or sales. We only accept encrypted DNS (DoH or DoT), so once your helper connects, every hop stays encrypted between you and our Cloudflare Workers.

How do I switch tiers?

Copy the DoH URL or DoT hostname for the new tier, paste it into your helper app, profile, Private DNS, or router, and save. Most DoH/DoT clients switch tiers instantly without a reboot.

Is this only for churches?

No. GraceDNS is free for homes, ministries, and small schools. Businesses can reach out for a conversation.

Stewardship

GraceDNS is owned by Ole Brook Web Services

Ole Brook Web Services, based in Mississippi, crafts dependable tools for churches and small businesses. GraceDNS is one of our gifts to the wider Body of Christ.

Visit olebrookwebservices.com